Daniel Westermann-Clark wrote:
> On 2006-09-23 22:18:35 +0200, Bernhard Graf wrote:
> > my $esc =
> > $c->model('DB::Table')->result_source->schema->storage->dbh->get_info(14);
> > my $input = $c->request->params->{input};
> > $input =~ s/([_%])/$esc$1/g;
> >
> > Not very pretty, but always needed, where user input from external
> > sources is used inside SQL queries.
This statement led to confusion I guess. Of course this is only valid
for "SELECT ... WHERE ... LIKE" queries.
> Well, sure, if you're building SQL strings yourself. But DBIx::Class
> uses placeholders and bind variables unless explicitly told not to
> (NoBindVars), and even then makes a decent attempt to quote the
> values via the dbh.
What you mean is escaping quotes. I mean escaping wildchars.
Example:
Think of a search function. You enter a string. The application prepends and
appends "%" to it:
$search = '%' . $c->request->params->{input} . '%';
That string is then used in a query with LIKE.
But since the user might search for something that contains "_" or "%"
these characters must be escaped.
I always disliked the DBI-way to determine the escape character
$esc = $dbh->get_info(14)
but
$c->model('DB::Table')->result_source->schema->storage->dbh->get_info(14)
is much worse.
--
Bernhard Graf
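A worked version of the escaping described in this message, added here as an example and not code from the thread or from DBIx::Class. It uses plain DBI against a constructed in-memory SQLite table (DBD::SQLite is assumed to be installed) rather than a Catalyst model, asks the driver for its search-pattern escape character with `get_info(14)` (SQL_SEARCH_PATTERN_ESCAPE) and falls back to a backslash when the driver reports none, and passes both the pattern and the escape character as bind values with an explicit `ESCAPE` clause. Unlike the one-liner above, it also escapes the escape character itself, so user input ending in "\" cannot swallow the wildcard that follows it. The helper names `escape_like` and `search` and the table `items` are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Escape the LIKE wildcards "_" and "%" and the escape character itself, so
# that a search for "50%" matches the literal string "50%" rather than
# "50" followed by anything. Quoting is left to placeholders; this only
# neutralises pattern metacharacters.
sub escape_like {
    my ($value, $esc) = @_;
    $esc = '\\' unless defined $esc && length $esc;
    $value =~ s/([\Q$esc\E_%])/$esc$1/g;
    return $value;
}

# Constructed sample data: an in-memory SQLite database, not a real schema.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE items (name TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO items (name) VALUES (?)');
$ins->execute($_) for ('50% off', '50X off', 'user_name', 'username', 'back\\slash');

# SQL_SEARCH_PATTERN_ESCAPE is info type 14. Not every driver reports it,
# so fall back to a backslash, which is what most engines accept.
my $esc = $dbh->get_info(14);
$esc = '\\' unless defined $esc && length $esc;

# Substring search: wrap the escaped term in "%" and bind it. The ESCAPE
# clause tells the database which character un-wildcards "_" and "%";
# SQLite requires it to be exactly one character.
sub search {
    my ($term) = @_;
    my $pattern = '%' . escape_like($term, $esc) . '%';
    my $sth = $dbh->prepare(
        'SELECT name FROM items WHERE name LIKE ? ESCAPE ? ORDER BY name');
    $sth->execute($pattern, $esc);
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# Each of these returns only the row containing the literal characters:
# "50%" -> ("50% off"), not "50X off"
# "_name" -> ("user_name"), not "username"
# "\" -> ("back\slash")
for my $term ('50%', '_name', '\\') {
    printf "%-6s => %s\n", $term, join(', ', search($term));
}
```

With DBIx::Class the same escaped pattern goes through a placeholder as well, for example `{ name => { -like => $pattern } }`, so the escaping step is the only part that has to be done by hand; the `ESCAPE` clause still has to be stated when the database does not default to the escape character the driver reported.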
_______________________________________________
List: http://lists.rawmode.org/cgi-bin/mailman/listinfo/dbix-class
Wiki: http://dbix-class.shadowcatsystems.co.uk/
IRC: irc.perl.org#dbix-class
SVN: http://dev.catalyst.perl.org/repos/bast/trunk/DBIx-Class/
Searchable Archive: http://www.mail-archive.com/[email protected]/